4ecc0b602b475f42a8344750a99d718d85c9758c4b9d0354923c8f37f15d1009

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fb77b3ed6ccc33910616df73b490940N.exe
Size

163KB
MD5

4fb77b3ed6ccc33910616df73b490940
SHA1

c91753158b77f563ff15de778cc53d2da6b5fceb
SHA256

4ecc0b602b475f42a8344750a99d718d85c9758c4b9d0354923c8f37f15d1009
SHA512

74a6d8372f72a64b2644774c2c455b08c468b6ab4d53e53e5d830abab879c5d40ee77e50f41a3df35e7567d62b402596ec0fd2d8570228f39eb108e3157da7be
SSDEEP

3072:6e76BoRVtctaTcfWVP2ZQfq6Tl7j66sfmTk3WdK1t:ReiRXqXWVWQVm6S3WYt

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\ExitUninstall.3gp.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	4fb77b3ed6ccc33910616df73b490940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	4fb77b3ed6ccc33910616df73b490940N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb77b3ed6ccc33910616df73b490940N.exe

C:\Users\Admin\AppData\Local\Temp\4fb77b3ed6ccc33910616df73b490940N.exe
"C:\Users\Admin\AppData\Local\Temp\4fb77b3ed6ccc33910616df73b490940N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
163KB

MD5
c19e150640c8c1dd968cbdd4edaf45e1

SHA1
7043860c3f18908ff776cd3393c8e455be03179c

SHA256
753d04d10220ad4e07361c586a6478e78650421d345364ee6ba40b66cd3cd388

SHA512
8cdba65b400a6471cb520c20041bb33d9f87edd501d88746fd79358b9c19df973bdb64dee1e3660a0b956bb926073b36af9721170efe3065c0d37642a06fd25e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
262KB

MD5
9bcc86ee1a5ebb229eb96e67733e4f0a

SHA1
53d691ee131474461e10dd3ad62239c8883aa68e

SHA256
6c228acdef58b7807638a8df993c7690579a8769fa9479c362866f03780b1605

SHA512
60675a1e77f9e8677a163fa3c2ab5598a2be006726b99106f54c97764be70e09f33722e780e68396685f79bd9914cee008622eb00ce506a345772f6a3ce6f47f

Download Submit